Internet Security and Legal Compliance: Cyber Law in India

Internet Security and Legal Compliance: Regulating Cyberspace – Version 2.0 Rodney D. Ryder Rodney D. Ryder Scriboard

Internet Security and Legal Compliance: Regulating Cyberspace – Version 2.0
Part 1 – Internet Law and Policy
Information Technology Act, 2000
Structuring a policy
Current law in India
Part 2 – Data Privacy and Digital Rights Management [Challenges and Strategies]
Data Protection legislation around the world
European Commission Directive and the UK Act
Data Protection model: the United States
Digital Rights Management
Rodney D. Ryder Scriboard

The need for a national strategy Internet Law and Policy: New Media Regulation and India Rodney D. Ryder Scriboard

Speed and Convenience
Mobile access
Personalised and tailored
Data mining sophistication
Loss of control
Insecurity
Lack of confidence
Increased scepticism
Low uptake of eCommerce
The need for a strategy - to secure Cyberspace
Technological advances in data storage and transmission
Globalisation of communications - the internet
Convergence and standardisation of technologies
Increasing importance of data processing

The Rise [and fall?] of Cyberspace
The Internet – ‘decentralised routing system’ – designed to carry messages from point to point even if intermediate communication exchanges are blocked, damaged or destroyed. <the dumb network>
‘ The net interprets censorship as damage, and routes around it’. John Gilmore, Lawless, The Economist, July 1995.
<Cyberspace>; <Neuromancer> and the “Network” [A place governed by its own laws - as introduced by William Gibson ]
“ Law and Borders”: the ‘independent’ theory of cyberspace law [David Post and David Johnson, Stanford Law Review]
Benkler’s layers – the physical, the code and content [in communications theory]
Lessig <Code and other laws of Cyberspace>
Ryder <Regulating ‘Indian’ Cyberspace>
Goldsmith and Wu <Who Controls the Internet? The Illusions of a Borderless World>

The ‘New Medium’ and the Law
Securing “Indian” Cyberspace [regulations and the history of trade – towards pax mercatur ]
Law and Technology – ‘functional equivalence’
The basic premise: the machine or the medium
Adaptability and Enforcement of Indian law – lessons from the American experience [Adobe Systems v. Dmitry Skylarov]
Enhance collaboration between law enforcement and industry to prevent and prosecute cyber crimes

Cybercrime and [the] Cyber Security Programme
Understanding the role of the medium – incidental [blackmail, stalking]; content [obscene or sensitive material]; integrity [unauthorised access and/or modification]
The criminal act – discovery [detection] and analysis
The Cybercrime Manual – fostering preparedness
Focussing on ‘relevant’ issues and appropriate classification of offences
Cyber forensics and the collection of evidence
Crisis management [internal and external]

Key Components of a Cyber Security Programme
The Team [Member of the Board, Human Resources Manager, Chief Information Officer, Legal Counsel, E-Risk Management Consultant, Internet Security Expert, Cyberinsurance broker]
Utilising and factoring security tools – Digital signatures are a ‘sign of our times’
Understanding and evaluating risks [internal and external]
Allocating roles and responsibilities - Structuring the audit process [examining use and abuse]
Ten Tips – [i] Firewalls with secure passwords; [ii] correct installation and maintenance [the human angle]; [iii] encryption; [iv] assign network administrators a security role; [v] External consultants and auditors; [vi] periodic security audits; [vii] do not ignore ‘small company’ security needs; [viii] limit access to the computer room; [ix] educate employees about the dangers of social engineering; [x] educate employees on potential threats.

Structuring a Cyber Security Manual
A training process for legal compliance
The Basics: the “machine” and the “medium” – What is a Cybercrime?
Develop programs that promote a culture of security within and across enterprises, including corporate governance, integration of physical and cyber security, and cyber ethics from school to the office
Engage with industry, academia and government in both countries to foster research and development and collaborative education efforts in information security

The Information Technology Act, 2000
Chapter I: Preliminary [Definitions]
Chapter II: Digital Signatures and Electronic Signatures
Chapter III: Electronic Governance
Chapter IV: Attribution, Acknowledgement and Dispatch of Electronic Records
Chapter V: Secure Electronic Records and Secure Electronic Signatures
Chapter VI: Regulation of Certifying Authorities
Chapter VII: Electronic Signature Certificates

The Information Technology Act, 2000
Chapter VIII: Duties of Subscribers
Chapter IX: Penalties, Compensation and Adjudication
Chapter X: The Cyber Appellate Tribunal
Chapter XI: Offences
Chapter XII: Intermediaries not to be liable in certain cases
Chapter XIIA: Examiner of Electronic Evidence
Chapter XIII: Miscellaneous

‘ Offences’ under the Indian Information Technology Act, 2000
Tampering with computer source documents/‘code’ [Section 65];
Transmission of Offensive Messages through Communication [Section 66A];
Dishonest receipt of stolen computer resource or communication device [Section 66B];
Punishment for Identity Theft [Section 66C];
Cheating by personation using computer resource [Section 66D];
Violation of Privacy [Section 66E]
Cyber Terrorism [Section 66F];
Publishing or transmitting obscene material in electronic form [Section 67]; Publishing or transmitting of material containing sexually explicit act in electronic form [Section 67A]; Publishing or transmitting of material depicting children in sexually explicit act in electronic form [Section 67B].

Data Privacy and the National Cyber Security Program Data Privacy and Indian Law Rodney D. Ryder Scriboard

Privacy concerns
A fundamental human right
the right of the individual to be let alone
Information Privacy (data protection) - personal data
Bodily privacy - invasive procedures - search, drug testing; genetic testing; etc
Communications Privacy - mail, telephone, e-mail etc
Territorial privacy - domestic privacy; CCTV; ID checks etc
“ Public” aspects - surveillance, police powers and national security
“ Private” aspects - commercial use of data

Growth of Importance of Privacy
Overview - major International and US regulations
1948 UN Universal Declaration of Human Rights
1970 US Fair Credit Reporting Act
1974 US Privacy Act
1976 International Covenant on Civil and Political Rights
1980 OECD Guidelines on Protection of Privacy
1980 US Privacy Protection Act
1995 European Commission Directive on Data Protection
1994 US Communications Assistance to Law Enforcement Act
1996 US Health Insurance Portability and Accountability Act
1998 US Children's Online Privacy Protection Act
1998 European Member States implement Directive
1999 US Financial Services Modernization Act
Rodney D. Ryder Scriboard BUSINESS ISSUES HUMAN RIGHTS

Privacy and Data Protection law in India
There is no general privacy or data protection law in India:
Constitution Article 21
Right to life and liberty, interpreted by Supreme Court as including the “right to be let alone”
International Covenant on Civil and Political Rights 1966 Article 17:
No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Law of privacy (Tort Law) – Action for unlawful invasion of privacy

The [Indian] Information Technology Act, 2000
Information Technology Act 2000
Section 43 (a)
Penalty for unauthorised access to a computer system
Section 43 (b) -
Penalty for unauthorised downloading or copying of data without permission
Section 72 -
Offence of accessing any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned , disclosing such information to another person

Current law in India
Public Financial Institutions Act of 1983 codifies confidentiality of bank transactions
ISPs prohibited from violating privacy rights of subscribers by virtue of the licence to operate granted by the Department of Telecommunications
A general data protection law in India?
National Task Force on IT and Software Development 1998 Submitted “IT Action Plan” calling for “National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data” but no Act introduced to date

Possible approaches to Data Protection Data Protection Worldwide Rodney D. Ryder Scriboard

Data Protection legislation worldwide NONE PENDING IN PLACE EUD or ‘ADEQUATE’
AFGHANISTAN
ALBANIA
ALGERIA
AMERICAN SAMOA
ANDORRA
ANGOLA
ANGUILLA
ANTARCTICA
ANTIGUA AND BARBUDA
ARGENTINA
ARMENIA
ARUBA
AUSTRALIA
AUSTRIA
AZERBAIJAN
BAHAMAS
BAHRAIN
BANGLADESH
BARBADOS
BELARUS
BELGIUM
BELIZE
BENIN
BERMUDA
BHUTAN
BOLIVIA
BOSNIA AND HERZEGOVINA
BOTSWANA
BOUVET ISLAND
BRAZIL
BRITISH INDIAN OCEAN TERRITORY
BRUNEI DARUSSALAM
BULGARIA
BURKINA FASO
BURUNDI
CAMBODIA
CAMEROON
CANADA
CAPE VERDE
CAYMAN ISLANDS
CENTRAL AFRICAN REPUBLIC CHAD CHILE CHINA CHRISTMAS ISLAND COCOS (KEELING) ISLANDS COLOMBIA COMOROS CONGO COOK ISLANDS COSTA RICA COTE D'IVOIRE CROATIA CUBA CYPRUS CZECH REPUBLIC DENMARK DJIBOUTI DOMINICA DOMINICAN REPUBLIC EAST TIMOR ECUADOR EGYPT EL SALVADOR EQUATORIAL GUINEA ERITREA ESTONIA ETHIOPIA FALKLAND ISLANDS (MALVINAS) FAROE ISLANDS FIJI FINLAND FRANCE FRENCH GUIANA FRENCH POLYNESIA FRENCH SOUTHERN TERRITORIES GABON GAMBIA GEORGIA GERMANY GHANA GIBRALTAR GREECE GREENLAND GRENADA GUADELOUPE GUAM GUATEMALA GUINEA GUINEA-BISSAU GUYANA HAITI HEARD ISLAND AND MCDONALD ISLANDS HOLY SEE (VATICAN CITY STATE) HONDURAS HONG KONG HUNGARY ICELAND INDIA INDONESIA IRAN IRAQ IRELAND ISRAEL ITALY JAMAICA JAPAN JORDAN KAZAKSTAN KENYA KIRIBATI KUWAIT KYRGYZSTAN LAO PEOPLE'S DEMOCRATIC REPUBLIC LATVIA LEBANON LESOTHO LIBERIA LIBYAN ARAB JAMAHIRIYA LIECHTENSTEIN LITHUANIA OURG LUXEMBOURG MACAU MACEDONIA MADAGASCAR MALAWI MALAYSIA MALDIVES MALI MALTA MARSHALL ISLANDS MARTINIQUE MAURITANIA MAURITIUS MAYOTTE MEXICO MICRONESIA, FEDERATED STATES OF MOLDOVA, REPUBLIC OF MONACO MONGOLIA MONTSERRAT MOROCCO MOZAMBIQUE MYANMAR NAMIBIA NAURU NEPAL NETHERLANDS NETHERLANDS ANTILLES NEW CALEDONIA NEW ZEALAND NICARAGUA NIGER NIGERIA NIUE NORFOLK ISLAND NORTH KOREA NORTHERN MARIANA ISLANDS NORWAY OMAN PAKISTAN PALAU PALESTINIAN TERRITORY, OCCUPIED PANAMA PAPUA NEW GUINEA PARAGUAY PERU PHILIPPINES PITCAIRN POLAND PORTUGAL PUERTO RICO QATAR REUNION ROMANIA RUSSIAN FEDERATION RWANDA SAINT HELENA SAINT KITTS AND NEVIS SAINT LUCIA SAINT PIERRE AND MIQUELON SAINT VINCENT AND THE GRENADINES SAMOA SAN MARINO SAO TOME AND PRINCIPE SAUDI ARABIA SENEGAL SEYCHELLES SIERRA LEONE SINGAPORE SLOVAKIA SLOVENIA SOLOMON ISLANDS SOMALIA SOUTH AFRICA SOUTH GEORGIA SOUTH KOREA SPAIN SRI LANKA SUDAN SURINAME SVALBARD AND JAN MAYEN SWAZILAND SWEDEN SWITZERLAND SYRIAN ARAB REPUBLIC TAIWAN TAJIKISTAN TANZANIA, UNITED REPUBLIC OF THAILAND TOGO TOKELAU TONGA TONGA TRINIDAD AND TOBAGO TUNISIA TURKEY TURKMENISTAN TURKS AND CAICOS ISLANDS TUVALU UGANDA UKRAINE UNITED ARAB EMIRATES UNITED KINGDOM UNITED STATES (safe harbor) US MINOR OUTLYING ISLANDS URUGUAY UZBEKISTAN VANUATU VENEZUELA VIET NAM VIRGIN ISLANDS, BRITISH VIRGIN ISLANDS, U.S. WALLIS AND FUTUNA WESTERN SAHARA YEMEN YUGOSLAVIA ZAMBIA ZIMBABWE Rodney D. Ryder Scriboard

Industrialised Countries Legislation timeline Rodney D. Ryder Scriboard South Korea eCommerce Act In force January 1999 New Zealand Privacy Act In force 1 July 1993 United States (includes) CPP Act 1984 VPP Act 1988 COPP Act 1998 In force 21 April 2000 HIPA Act In force 14 April 2001 GLB Act In force 1 July 2001 ‘ General’ Act Under consideration Finland Personal DP Act In force 1 June 1999 Denmark Act on Processing f PD In force 1 July 2000 Luxembourg - Netherlands Law on Protection PD ct In force 1 Sep 2001 Greece Protection Processing In force 10 April 1997 Ireland - Eastern Europe Estonia (96) Poland (98) Solovak (98) Slovenia (99) Hungary (99) Czech (00) Latvia (00) Lithuania (00) Portugal Personal DP Act In force 27 October 1998 Spain Data Protection Act In force 13 January 2000 Canada PIP&ED Act Commenced 1 Jan 2001 United Kingdom Data Protection Act In force 1 March 2000 France - Australia Privacy Act In force 21 Dec 2001 Sweden Personal Data Act In force 24 October 1998 Belgium Data Protection Act In force 1 Sep 2001 Norway Personal D Reg Act In force 14 April 2000 Italy Data Protection Act In force 8 May 1997 Austria Data Protection Act In force 1 January 2000 Germany Data Protection Act In force 23 May 2001 Switzerland Data Protection Act In force 1 June 1999 Taiwan Computer Processed DP In force 11 August 1995 Hong Kong Personal Data (Privacy ) In force 20 Dec 1996 Mexico eCommerce Act In force 7 June 2000

Possible approaches to Data Protection Data Protection in Europe Rodney D. Ryder Scriboard

European Data Protection Directive
Directive 95/46/EC of the European Commission
Now implemented in almost all Member States
e.g. UK previously - UK Data Protection Act 1984 now - UK Data Protection Act 1998 (in force March 2000) (“DPA”) Rodney D. Ryder Scriboard

UK DPA 1998 - The Eight Principles 1. Personal data must be processed fairly and lawfully 2. Personal data must be collected and used only for notified purposes. 3. Personal data must be adequate, relevant and not excessive. 4. Personal data must be accurate and, where necessary, kept up-to-date. 5. Personal data must only be retained for as long as is necessary to carry out the purposes for which it is collected. 6. Personal data must be processed in accordance with the rights of data subjects as set out under the 1998 Act. Rodney D. Ryder Scriboard

UK DPA 1998 - The Eight Principles 7. Appropriate technical and organisational measures must be in place to protect against unauthorised access, amendment or loss of personal data. There must be a contractual obligation, in writing, upon any data processor to comply with the relevant legislation and to ensure that such measures have been put in place. 8. Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data. Rodney D. Ryder Scriboard

Transfers of Personal Data from Europe to India The Eighth Principle Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data. Rodney D. Ryder Scriboard

Alternative Grounds: “Seventh-Principle” type contract
Notwithstanding lack of country adequate status, a Data Controller can nevertheless conclude there is adequate protection in respect of a particular transfer if:
There is sufficient protection for individual data subjects
Having regard to: - nature of data being transferred;
- purposes for processing;
- security measures in place;
- individual rights to redress if things go wrong
Note - all of these could be covered in a Seventh-Principle type contract

Possible models for India Data Protection in the USA Rodney D. Ryder Scriboard

Data Protection in the United States United States (Federal) Fair Credit Reporting Act 1970 Privacy Act 1974 Family Educational Rights and Privacy Act 1974 Cable TV Privacy Act 1974 Right to Financial Privacy Act 1978 Privacy Protection Act 1980 Cable Communications Policy Act 1984 Electronic Communications Privacy Act 1986 Video Privacy Protection Act 1988 Employee Polygraph Protection Act 1988 Telephone Consumer Protection Act 1991 Driver’s Privacy Protection Act 1994 Communications Assistance to Law Enforcement Act 1994 Health Insurance Portability and Accountability Act 1996 Children's Online Privacy Protection Act 1998 Deceptive Mail Prevention and Enforcement Act 1999 Financial Services Modernization Act 1999 ‘ General’ Act Under consideration? Safe Harbor In effect 2001
Self certified compliance with ‘adequate’ principles
Regulatory enforcement of trade practices legislation

US Safe Harbor - self regulation
However, only 356 companies in the whole of the United States have current Safe Harbor registrations
This raises questions as to the credibility of the safe harbor regime
Safe Harbor also only addresses transfers of data from abroad, and does not offer comprehensive protection for US citizens

Balancing Privacy & Security - terrorism
Antiterrorism Acts:
USA <the Patriot Act>
26 October 2001
Canada 16 October 2001
India <Prevention of Terrorism Act>
easier to use electronic surveillance
continue and clarify the mandate of the law enforcement to collect foreign communications
requires individuals who have information related to a terrorist groups to appear before a judge to provide that information
extending DNA data bank to include terrorist crimes
Issues
enhanced investigative powers
will governments enforce privacy laws?
US, Canada, UK, EU, Australia
Thoughts
data protection enforcement is generally complaint based
public continually stress privacy concerns
good privacy is good business
erosion of privacy is a win for terrorism

Digital Rights Management Digital Rights Management Rodney D. Ryder Scriboard

Copyright Law and Practice: a historical timeline Technology and the Law – the stages of copyright law The ‘monastic’ or ‘gurukul’ [oral tradition] The birth of copyright [Gutenberg and the Printing Press] The era of promiscuity: the Internet and Technology [the WIPO Copyright Treaty and the ‘DMCA’] The ‘World’s Biggest Copying Machine’ [PC Week; January 27, 1997] Rodney D. Ryder Scriboard

Copyright and the Internet [Technological Developments and the Law]
Digitisation [unlike analogue copies, which degrade with each copy; digital media allows perfect copies to be made indefinitely]
Digital Compression Technologies [MP3 for music – large media files can be compressed without a loss in quality]
Bandwidth [increased availability of high-speed internet connectivity further aids distribution of high quality digital files]

Napster – the file sharing mechanism [A & M Records, Inc. v. Napster, Inc.; 239 F. 3d 1004; 9 th Cir. 2001] Rodney D. Ryder Scriboard

Bit Torrent – the tracker device Rodney D. Ryder Scriboard

Preventing Piracy [I] – Technical Measures Copy Protection [Encryption – encoding digital content to prevent it from being viewed; Copy Control Flags – digital ‘flags’ inserted as indicators; CD Copy Protection – insertion of an ‘additional’ track to prevent unauthorised recording] Copyright Protection [Digital Watermarking – digital signals embedded to detect or verify originality; Digital fingerprinting – digital signal embedded in the file containing information on the buyer] Cross-industry protection measures [Secure Digital Music Initiative [SDMI] – developed by a consortium of music companies; uses watermarking and copy protection] Rodney D. Ryder Scriboard

Preventing Piracy [I] – Circumvention Measures
Circumvention Technologies – primarily aimed at bypassing the range of technical measures [described in the previous slide]
Software approaches include the decryption and translation of files
DeCSS [and similar programmes] that allows users to decrypt DVD files
Programme designed to remove protection from Adobe’s e-Book Reader [Dmitry Skylarov]

Digital Rights Management, Anti-Circumvention, the DMCA and Dmitry Sklyarov
The Digital Millennium Copyright Act [DMCA] - Prohibition on Circumvention:
i) Making the technology/device for bypassing
ii) Selling the Circumvention technology/devices
iii) Publishing information on the circumvention technology/device.
Dmitry Skylarov: Russian programmer with ElcomSoft Co. Ltd.
Circumvented Adobe e-Book files’ encryption
Does the DMCA apply in Russia?
‘ Arrested’ and charged for 25 years imprisonment under the DMCA.

Electronic Mark Rodney D. Ryder Scriboard

Electronic Mark: an illustration Rodney D. Ryder Scriboard

Digital Rights Management Software Rodney D. Ryder Scriboard

Digital Rights Management: the law and technology partnership Rodney D. Ryder Scriboard

Any questions? Rodney D. Ryder Scriboard

Internet Security and Legal Compliance Regulating Cyberspace – Version 2.0 Rodney D. Ryder [email_address] Technology, Media and Communications

Internet Security and Legal Compliance: Cyber Law in India

by Rodney D. Ryder on Jun 13, 2011

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 3

Statistics

Internet Security and Legal Compliance: Cyber Law in India Presentation Transcript